It was discovered that our current RoleBindings implementation is not going to work well. We need to change RoleBindings from using Role to ClusterRole (by default). Here is the example change in yaml form:

change this:

  roleBindings:
    - namespace: ns01
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: kubevirt.io:admin

 
to this:

  roleBindings:
    - namespace: ns01
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: kubevirt.io:admin

Confirmed by Joshua:
https://redhat-internal.slack.com/archives/C08HJNGCUUC/p1747930792782719
 
We need to do this because ClusterRoles can be used in any namespaces with RollBindings, meaning we can have 3 predefine cluster roles:
['kubevirt.io:view', 'kubevirt.io:edit', 'kubevirt.io:admin']
 
Even if we get them by label, they should still be ClusterRole because then they can be used with ClusterRoleBinding and RoleBindings. If we went with the current configuration and only used Role with all RoleBindings, then the above pre-configured kubevirt roles would need to be in ALL potential namespaces to be usable.
 
For tech preview, easiest way for us is to just change Role to ClusterRole everywhere. However we should also consider that Role is a valid roleRef kind.